b"U.S. DEPARTMENT OF COMMERCE\n          Office of Inspector General\n\n\n\n\n               BUREAU OF THE CENSUS\n\n Weaknesses in Census Bureau\xe2\x80\x99s Certification\n  And Accreditation Process Leave Security of\n    Critical Information Systems in Question\n\n   Final Inspection Report No. OSE-16519-1/August 2004\n\n\n\n\n                           PUBLIC\n                           RELEASE\n\n\n\n                            Office of Inspector General\n\x0cU.S. Department of Commerce                                                                            Inspection Report OSE-16519-1\nOffice Of Inspector General                                                                                           September 2004\n\n\n\n\n                                                              CONTENTS\n\nEXECUTIVE SUMMARY ..............................................................................................................i\n\nINTRODUCTION ...........................................................................................................................1\n\nOBJECTIVES, SCOPE, AND METHODOLOGY .........................................................................3\n\nFINDINGS AND RECOMMENDATIONS....................................................................................5\n\nI.    Certification and Accreditation Packages Were Significantly Deficient .................................5\n      A. Risk Assessments Did Not Provide an Adequate Basis for Identifying Security\n         Requirements or Determining Whether Security Controls Are Sufficient.........................5\n      B. Sensitivity Assignments and Security Control Information in Security Plans Were\n         Inappropriate and Inconsistent ...........................................................................................5\n      C. Certification and Accreditation Decisions Were Based on Inadequate and Inconsistent\n         Testing ................................................................................................................................7\n      D. One National-Critical System Had No Contingency Plan .................................................9\n      E. Certification and Accreditation Memoranda Lacked Key Information .............................9\n      F. Conclusion........................................................................................................................10\n\nII. Designated Approving Authority for Accreditation Should Be Official with\n    Management, Operational, and Budget Authority Over System............................................14\nIII. Plans of Action and Milestones Did Not Accurately Reflect System Security\n     Deficiencies ............................................................................................................................15\nIV. Additional Efforts Are Needed to Improve Specialized Security Training............................16\nV. A Patch Management Process Has Been Established.............................................................17\nAttachment: Census Bureau's Response\n\x0cU.S. Department of Commerce                                                          Inspection Report OSE-16519-1\nOffice Of Inspector General                                                                         September 2004\n\n\n\n                                          EXECUTIVE SUMMARY\n\nThe Federal Information Security Management Act (FISMA) 1 requires agencies to review their\ninformation security program annually and Offices of Inspector General (OIGs) to conduct\nindependent evaluations of those programs annually as well. Pursuant to FISMA, we evaluated\nthe Census Bureau\xe2\x80\x99s information security program in terms of its compliance with the act as well\nas with Office of Management and Budget (OMB) requirements and the Department of\nCommerce\xe2\x80\x99s IT security policy.\n\nCensus\xe2\x80\x99s IT system definitions were changed significantly in FY 2003. According to the bureau,\nit reexamined its inventory of IT systems and determined that based on the overall mission,\norganizational structure, and responsibilities of individual directorates, the inventory structure\nwas not reflective of operations. Census\xe2\x80\x99s IT Security Office therefore worked with contractors,\nsystem owners, and administrators to reorganize and consolidate the bureau\xe2\x80\x99s 87 systems.\nGrouping systems according to shared missions, ownership, and management yielded 11\nprogram area systems, each having an associated set of component systems. Of the 11 program\narea systems, 2 are designated national critical (part of the critical infrastructure), 7 as mission\ncritical, and 2 as business essential. 2 Each of the 11 systems and individual component systems\nhas a security plan.\n\nThe purpose of our review was to evaluate (1) Census\xe2\x80\x99s IT Security Program Policies, issued in\nMarch 2003, (2) the impact of the IT systems consolidation on system security and the\ncertification and accreditation process, (3) management and implementation of the plans of\naction and milestones (POA&M) process for program and system level weaknesses, (4) the\nbureau\xe2\x80\x99s plan to provide specialized IT security training to IT security officers and other staff\nhaving specialized IT security responsibilities, (5) the patch management process for correcting\nsystem security vulnerabilities, and (6) the bureau\xe2\x80\x99s incorporation of IT security into its capital\nplanning and investment control process. Our focus was the security of Census\xe2\x80\x99s national-critical\nand mission-critical systems.\n\nAt the time of our fieldwork, capital asset plans for FY 2006 were in preparation and\ncontinuously changing. We were therefore unable to evaluate whether they adequately\ndocumented system security requirements and appropriately justified projected security\nexpenditures. In addressing our remaining objectives, however, we found that Census\xe2\x80\x99s IT\nsecurity program generally conformed in structure and intent with requirements of the\nDepartment\xe2\x80\x99s IT security program policy and other mandates, but that in practice it did not\n\n\n1\n  Title III, E-Government Act of 2002 (P.L. 107-347).\n2\n  The Critical Infrastructure Act of 2001, 42 U.S.C. 5195c, which is part of the USA Patriot Act of 2001 (P.L. 107-\n56) defines critical infrastructure as \xe2\x80\x9csystems and assets, whether physical or virtual, so vital to the United States\nthat the incapacity or destruction of such systems and assets would have a debilitating impact on security, national\neconomic security, national public health or safety, or any combination of those matters.\xe2\x80\x9d According to OMB, an\ninfrastructure or resource is considered mission critical if its damage or destruction would have a debilitating impact\non the organization\xe2\x80\x99s ability to perform essential functions and activities. All other systems are considered business\nessential.\n\n\n\n                                                           i\n\x0cU.S. Department of Commerce                                              Inspection Report OSE-16519-1\nOffice Of Inspector General                                                             September 2004\n\n\n\nalways appropriately apply those requirements, with the result that critical systems may not be\nadequately protected. Our specific findings are as follows.\n\nCertification and Accreditation Packages Were                      Certification is the formal testing of the\nSignificantly Deficient. Certifying and accrediting                security safeguards and controls\ninformation systems is a critical element of the bureau\xe2\x80\x99s IT       implemented in a computer system to\nsecurity program. However, the certification and                   determine whether they meet applicable\naccreditation packages we reviewed did not comply with             requirements and specifications.\neither Department or FISMA requirements in a number of             Accreditation is management\xe2\x80\x99s formal\nareas: the documentation contained risk assessments that           authorization to allow systems to operate\ndid not sufficiently identify system vulnerabilities and thus      and it includes an explicit acceptance of\nfailed to serve as an adequate basis for identifying needed        the identified residual risks.\nsecurity controls; included security plans that assigned\n                                                                   System sensitivity refers to FISMA\xe2\x80\x99s three\nimproper and inconsistent sensitivity levels to systems and        security objectives for information and\ndid not adequately describe the controls that were in place        information systems: confidentiality,\nor needed; and did not provide a contingency plan for one          integrity, and availability. System owners\ncertified and accredited national-critical system. The             must assign a sensitivity level of high,\npackages also did not identify residual risks in the certified     medium, or low to each objective to\n                                                                   reflect the impact that a system\xe2\x80\x99s\nand accredited systems, and thus provided no evidence that         compromise would have on the agency\xe2\x80\x99s\nthe accrediting official understood the level of risk being        mission, and must justify the level\nassumed in authorizing system operations.                          assigned.\n\nFurther compromising IT system security was the bureau\xe2\x80\x99s\ndecision to certify systems at levels below those necessary to ensure their adequate testing in\norder to meet the Department\xe2\x80\x99s December 2003 deadline for certification and accreditation of all\nnational- and mission-critical systems. (See page 5.)\n\nDesignated Approving Authority Should Be Official with Management, Operational, and\nBudget Authority Over System. Departmental and OMB policy specify that designated\napproving authorities (DAAs) or accrediting officials must be program officials who have\nmanagement, operational, and budget authority for the system, and that they may not be system\nowners\xe2\x80\x94division or office chiefs. Census\xe2\x80\x99s policy, however, names its chief information officer\n(CIO) as the DAA for all systems, even though this official does not have the required authority\nover the bureau\xe2\x80\x99s entire inventory. (See page 13.)\n\nPlans of Action and Milestones (POA&Ms) Do Not Accurately Reflect System Security\nDeficiencies. Contrary to OMB and the Department\xe2\x80\x99s security policy, Census is not using\nPOA&Ms to list all identified security weakness and to track and manage efforts to resolve them.\nPOA&Ms did not identify residual risks for which additional controls are needed, the lack of\ncontingency plans, or the need for additional testing to ensure that systems are certified at a level\ncommensurate with their sensitivity. (See page 14.)\n\nAdditional Efforts Are Needed to Improve Specialized Security Training. Department\npolicy requires operating units to give specialized training to personnel who have significant IT\nsecurity responsibilities and to track the status of efforts to provide such training. We found\n\n\n\n                                                  ii\n\x0cU.S. Department of Commerce                                                             Inspection Report OSE-16519-1\nOffice Of Inspector General                                                                            September 2004\n\n\n\nlimited progress in meeting these requirements at Census. While the bureau has identified\npositions for which specialized training is necessary, few of these staff have completed available\nsecurity courses. Census is developing a capability to track training activity and expects to have\nthis capability by the end of FY 2004. (See page 15.)\n\nA Patch Management Process Has Been Established. As required by Department policy,\nCensus has implemented a patch management process to identify, test, apply, and monitor the\nstatus of security patches 3 relevant to bureau systems. The process determines the need for\npatches and acquires, tests, applies, and monitors them on all information system components.\n(See page 16.)\n\nWe made numerous recommendations to Census for improving its certification and accreditation\npackages, ensuring POA&Ms document all known security weaknesses, and ensuring bureau\npersonnel having IT security responsibility receive specialized training. Bureau officials have\nbeen receptive to our recommendations and have begun to take actions to implement many of\nthem.\n\n                                                             \xe2\x80\xa6\n\nIn its response to our draft report, Census stated that it generally agreed with our findings and\ndescribed actions being taken or planned to address our recommendations. However, several of\nthe actions do not adequately address the corresponding recommendation. The bureau needs to\nensure that the residual risks of its IT systems are not accepted unless the remaining known\nvulnerabilities pose an acceptable level of risk to agency operations and assets, testing\ncommensurate with the level of each system\xe2\x80\x99s sensitivity is performed, and POA&Ms contain all\nknown information security weaknesses, including those identified through certification and\naccreditation. Following each recommendation, we have included a brief synopsis of the\nbureau\xe2\x80\x99s response and, where appropriate, our comments. The bureau\xe2\x80\x99s complete response is\nincluded as an attachment to this report.\n\n\n\n\n3\n    A patch is a piece of software code that is inserted into a program to fix a defect or eliminate a vulnerability.\n\n\n\n\n                                                             iii\n\x0cU.S. Department of Commerce                                            Inspection Report OSE-16519-1\nOffice Of Inspector General                                                           September 2004\n\n\n\n                                               INTRODUCTION\n\nThe Federal Information Security Management Act (FISMA) 1 requires agencies to review their\ninformation security program annually and Offices of Inspector General (OIGs) to conduct\nindependent evaluations of those programs annually as well. Pursuant to FISMA, we evaluated\nthe Census Bureau\xe2\x80\x99s information security program, looking at its compliance with FISMA,\nOffice of Management and Budget (OMB) requirements, and the Department of Commerce\xe2\x80\x99s IT\nsecurity policy.\n\nThe Census Bureau\xe2\x80\x99s IT Security Program Policies, issued in March 2003, provides the\nrequirements for its information security program. It specifies mandatory and recommended\nprogram management practices; security roles and responsibilities for bureau managers,\nemployees, and contractors; and policies regarding management, operational, and technical\ncontrols. Aside from one exception (see finding II of this report), the bureau\xe2\x80\x99s policy is\ngenerally consistent with the Department of Commerce\xe2\x80\x99s IT security program policy.\n\nThe associate director for information technology and chief information officer (CIO) is\nresponsible for implementing and overseeing the bureau\xe2\x80\x99s IT security program. The IT security\nofficer heads the IT security office and reports to the CIO. The IT security officer is the bureau\xe2\x80\x99s\nIT security authority, serves as the central point of contact for the IT security program, and has\nauthority for setting the program\xe2\x80\x99s day-to-day direction and overall goals, objectives, and\npriorities. System owners\xe2\x80\x94division or office chiefs throughout the bureau\xe2\x80\x94are responsible for\ncomplying with all IT security program policies and procedures and coordinating and\nimplementing security controls for information systems under their control. System owners\nappoint division security officers to implement system- level security controls and maintain\nsystem documentation.\n\nCertifying and accrediting information systems is a critical element of the bureau\xe2\x80\x99s IT security\nprogram. Certification is the formal testing of the security safeguards and controls implemented\nin a computer system to determine whether they meet applicable requirements and specifications.\nThe system certifier, through the formal testing process, identifies residual risks\xe2\x80\x94those risks that\nwere not eliminated by implementation of security controls. Accreditation is management\xe2\x80\x99s\nformal authorization to allow systems to operate, and it includes an explicit acceptance of the\nidentified residual risks. The accrediting official, known as the designated approving authority\n(DAA), relies on input from the certifier in determining whether to authorize system operation.\nThe DAA may decide additional controls should be implemented to reduce or eliminate the\nresidual risks, or may determine the residual risks are low and controls not cost-effective.\n\nDepartment policy requires Commerce operating units to follow the National Security Agency\xe2\x80\x99s\nNational Information Assurance Certification and Accreditation Process (NIACAP) for\ncertifying and accrediting systems, but to document the process in a system security plan\ncertification and accreditation package (as opposed to using NIACAP documentation\nguidelines). This package is to include a risk assessment, system security plan, contingency\n\n1\n    Title III, E-Government Act of 2002 (P.L. 107-347).\n\n\n                                                          1\n\x0cU.S. Department of Commerce                                                          Inspection Report OSE-16519-1\nOffice Of Inspector General                                                                         September 2004\n\n\n\nplan, certification test plan and test results, identification of residual risks, the certifier\xe2\x80\x99s\nrecommendation, and an accreditation statement signed by the DAA indicating whether the\nsystem is authorized to operate and, if so, affirming that this official understands any related\nresidual risks.\n\nFurther, the Office of Management and Budget (OMB) requires agencies to prepare plans of\naction and milestones (POA&Ms) that reflect all known IT security weaknesses within the\nagency and its components or bureaus. The agency, major components and program officials,\nand the IG are to use POA&Ms as the authoritative management mechanism to prioritize, track,\nand manage all agency efforts to close security gaps. POA&Ms thus provide the means for\ndocumenting security weaknesses identified during certification and other review processes.\n\nIT Systems Redefined\n\nCensus\xe2\x80\x99s IT system definitions were changed significantly in FY 2003. According to the bureau,\nit reexamined its inventory of IT systems and determined that based on the overall mission,\norganizational structure, and responsibilities of individual directorates, the inventory structure\nwas not reflective of operations. Census\xe2\x80\x99s IT Security Office therefore worked with contractors,\nsystem owners, and administrators to reorganize and consolidate the bureau\xe2\x80\x99s 87 systems.\nGrouping systems according to shared missions, ownership, and management yielded 11\nprogram area sys tems, each having an associated set of component systems. Of the 11 program\narea systems, 2 are designated national critical (part of the critical infrastructure), 7 as mission\ncritical, and 2 as business essential. 2\n\nThe bureau developed security plans for each of these 11 systems, as well as for the component\nsystems. Each program area security plan is intended to document the management, operational,\nand technical controls that apply to associated component systems, whereas the security plans for\nthe individual component systems are to describe controls specific to each component.\n\n\n\n\n2\n  The Critical Infrastructure Act of 2001, 42 U.S.C. 5195c, which is part of the USA Patriot Act of 2001 (P.L. 107-\n56) defines critical infrastructure as \xe2\x80\x9csystems and assets, whether physical or virtual, so vital to the United States\nthat the incapacity or destruction of such systems and assets would have a debilitating impact on security, national\neconomic security, national public health or safety, or any combination of those matters.\xe2\x80\x9d According to OMB, an\ninfrastructure or resource is considered mission critical if its damage or destruction would have a debilitating impact\non the organization\xe2\x80\x99s ability to perform essential functions and activities. All other systems are considered business\nessential.\n\n\n\n                                                           2\n\x0cU.S. Department of Commerce                                           Inspection Report OSE-16519-1\nOffice Of Inspector General                                                          September 2004\n\n\n\n\n                      OBJECTIVES, SCOPE, AND METHODOLOGY\n\nThe purpose of our review was to evaluate (1) Census\xe2\x80\x99s IT Security Program Policies, issued in\nMarch 2003, (2) the impact of the IT systems consolidation on system security and the\ncertification and accreditation process, (3) management and implementation of the POA&M\nprocess for program and system level weaknesses, (4) the bureau\xe2\x80\x99s plan to provide specialized IT\nsecurity training to IT security officers and other staff having specialized IT security\nresponsibilities, (5) the patch management process for correcting system security vulnerabilities,\nand (6) the bureau\xe2\x80\x99s incorporation of IT security into its capital planning and investment control\nprocess.\n\nA principal focus of our evaluation was a review of certification and accreditation materials. For\nthe bureau\xe2\x80\x99s two national-critical IT systems, we evaluated complete certification and\naccreditation packages, which included system security plans, self-assessments, risk assessments,\ncontingency planning information, results of vulnerability scans, and security test and evaluation\nmaterials. At the time of our fieldwork, the bureau was revising the certification and\naccreditation packages for its seven mission-critical systems; consequently, we were only able to\nevaluate the security plans for these systems, as the other materials were undergoing changes.\n\nWe used the following as criteria for assessing the bureau\xe2\x80\x99s security program:\n\n\xe2\x80\xa2   FISMA\n\xe2\x80\xa2   OMB Memorandum M-03-19, \xe2\x80\x9cReporting Instructions for the Federal Information Security\n    Management Act and Updated Guidance on Quarterly IT Security Reporting\xe2\x80\x9d\n\xe2\x80\xa2   National Security Telecommunications and Information Systems Security Instruction No.\n    1000, National Information Assurance Certification and Accreditation Process (NIACAP)\n\xe2\x80\xa2   OMB Circular A-130, Appendix III, \xe2\x80\x9cSecurity of Federal Automated Information Systems\xe2\x80\x9d\n\xe2\x80\xa2   NIST Special Publication 800-16, Information Technology Security Training Requirements:\n    A Role- and Performance-Based Model\n\xe2\x80\xa2   NIST Special Publication 800-18, Guide for Developing Security Plans for Information\n    Technology Systems\n\xe2\x80\xa2   NIST Special Publication 800-26, Security Self-Assessment Guide for Information\n    Technology Systems\n\xe2\x80\xa2   NIST Special Publication 800-30, Risk Management Guide for Information Technology\n    Systems\n\xe2\x80\xa2   U.S. Department of Commerce, IT Security Program Policy and Minimum Implementation\n    Standards\n\xe2\x80\xa2   U.S. Department of Commerce, System Security Plan Certification and Accreditation\n    Package (SSPCAP) Requirements Inspection Checklist, version 2, June 30, 2003\n\nIn addition to reviewing certification and accreditation materials, we assessed the bureau\xe2\x80\x99s IT\nsecurity policy and met with its CIO, IT security officer, and IT security staff. Because our\nfindings on system consolidation contain sensitive information, we have presented them in a\n\n\n\n                                                 3\n\x0cU.S. Department of Commerce                                           Inspection Report OSE-16519-1\nOffice Of Inspector General                                                          September 2004\n\n\n\nseparate draft report entitled, The Census Bureau Should Redefine Its National-Critical Systems,\nOSE-16519-2.\n\nAt the time of our fieldwork, the bureau was preparing capital asset plans for submission to the\nDepartment as part of the FY 2006 budget request. Because these plans were incomplete and\ncontinuously changing, we were unable to evaluate whether they contained adequate\ndocumentation for system security requirements and appropriate justification for projections of\nsecurity expenditures.\n\nWe conducted our evaluation in accordance with the Quality Standards for Inspections issued by\nthe President\xe2\x80\x99s Council on Integrity and Efficiency and under the authority of the Inspector\nGeneral Act of 1978, as amended. We performed our fieldwork between November 2003 and\nApril 2004.\n\n\n\n\n                                                4\n\x0cU.S. Department of Commerce                                                           Inspection Report OSE-16519-1\nOffice Of Inspector General                                                                          September 2004\n\n\n\n\n                                 FINDINGS AND RECOMMENDATIONS\n\nI. Certification and Accreditation Packages Were Significantly Deficient\n\nThe certification and accreditation packages we reviewed had incomplete and inaccurate security\nplans and risk assessments, and one national-critical system was certified and accredited without\nhaving a contingency plan. The packages did not identify residual risks in the certified and\naccredited systems. Neither did they address whether the accrediting official understood the\nlevel of risk being assumed in authorizing system operations. Finally, the bureau\xe2\x80\x99s national-\ncritical and mission-critical systems were certified and accredited without adequate testing.\n\nA. Risk Assessments Did Not Provide an Adequate Basis for Identifying Security\n   Requirements or Determining Whether Security Controls Are Sufficient\n\nDepartment policy and NIST SP 800-30, Risk Management Guide for Information Technology\nSystems, require agencies to identify system vulnerabilities, threats, and associated impacts so\nthat appropriate and cost-effective controls can be established to mitigate related risks. The\nbureau\xe2\x80\x99s risk assessments for three of the four components of its national-critical systems were\nchecklists on which the reviewer indicated whether or not listed security controls were\nimplemented and/or applicable to the component. However, the assessments did not identify\nvulnerabilities, threats, impacts, and risks affecting the component systems. Thus, the risk\nassessments failed to serve as an adequate basis for determining whether the existing security\ncontrols were appropriate and whether additional controls were needed.\n\nB. Sensitivity Assignments and Security Control Information in Security Plans Were\n   Inappropriate and Inconsistent\n\nFISMA defines three security objectives for information and information systems:\nconfidentiality, integrity, and availability. System owners must assign a sensitivity level of high,\nmedium, or low to each objective to reflect the impact that a system\xe2\x80\x99s compromise would have\non the agency\xe2\x80\x99s mission, and must justify the level assigned. For example, the owner of a system\nthat collects, processes, and distributes information subject to Title 13 and Title 26 3 restrictions\nmight assign a sensitivity level of high to confidentiality and integrity, but medium to availability\nif system users can tolerate system outages lasting several days. Sensitivity assignments are used\nto establish the appropriate security controls needed to adequately protect the data. They also\ndetermine the rigor of testing and analysis required to certify and accredit a system.\n\nImproper and inconsistent sensitivity levels\n\nThe sensitivity assignments in the security plans we reviewed were not always appropriate to the\nsystem or were inconsistent with the program area that a particular system supported. For\nexample, the plan for an infrastructure system assigned sensitivity levels of medium for\n\n3\n    Titles 13 and 26 of the United States Code place restrictions on the disclosure of collected information.\n\n\n                                                            5\n\x0cU.S. Department of Commerce                                              Inspection Report OSE-16519-1\nOffice Of Inspector General                                                             September 2004\n\n\n\nconfidentiality, medium for integrity, and high for availability. Yet the plans for systems that\nrely on this infrastructure system assigned sensitivity levels of high for all three objectives. If\nthe infrastructure system is supporting systems that must be rigorously protected against\nunauthorized access, change, or damage and if it is relied upon by systems that must provide\ntimely and reliable access to their information, the sensitivity levels for all three objectives of the\ninfrastructure system must also be high. We discussed this discrepancy with bureau IT security\nstaff, who agreed that the sensitivity levels for confidentiality, integrity, and availability for the\ninfrastructure system should match those of the systems relying on it.\n\nIn addition, assigned sensitivity levels in security plans for some program area systems were not\nadequately supported, and in some instances the justification narrative actually supported the\nneed for a higher level or did not match the system being described. For example, the\njustification for the infrastructure system\xe2\x80\x99s medium sensitivity level for confidentiality stated,\n\xe2\x80\x9cData collected and stored in the Census Bureau\xe2\x80\x99s infrastructure systems contains demographic\nand economic information that, if disclosed to unaut horized sources, would cause a violation of\nTitles 26 and 13, U.S.C.\xe2\x80\x9d This justification supports a sensitivity assignment of high for\nconfidentiality. In another case, a justification incorrectly characterized a system\xe2\x80\x99s functions,\nnoting that a medium level for availability was required to ensure currency of budget information\nand timeliness of financial reports, even though the system processes geography\xe2\x80\x94not budget\xe2\x80\x94\ndata, and does not produce financial reports.\n\nInappropriate security controls\n\nThe Department\xe2\x80\x99s policy and guidance state that security plans must describe the management,\noperational, and technical controls that are and will be implemented to meet system security\nrequirements.\n\nBureau officials told us that security plans for program area systems are to document the\nmanagement, operational, and technical controls that apply to all component systems, whereas\nthe plans for component systems should describe controls specific to each component. However,\nthe security plans we reviewed did not provide sufficient detail about security controls: the\nprogram area plans for the two national-critical systems did not describe planned or implemented\ncontrols either for themselves or their component systems. Instead, the plans described the\npurpose of each control and contained a copy of the bureau\xe2\x80\x99s security policy for that control.\n\nFurthermore, security plans for some individual components of the national-critical systems did\nnot provide accurate, complete, and detailed descriptions of controls that were implemented and\nplanned. For example, one of the plans did not address any technical controls; another described\nidentification and authentication controls that did not conform to the bureau\xe2\x80\x99s password policy.\n\nIn reviewing the program area sys tem security plans for the seven mission-critical systems, we\nfound that they, like their national-critical counterparts, did not describe controls but merely\nrepeated portions of the bureau\xe2\x80\x99s security policy.\n\n\n\n\n                                                   6\n\x0cU.S. Department of Commerce                                                        Inspection Report OSE-16519-1\nOffice Of Inspector General                                                                       September 2004\n\n\n\n\nC. Certification and Accreditation Decisions Were Based on Inadequate and Inconsistent\n   Testing\n\nThe Department CIO established a deadline of December 31, 2003, for certification and\naccreditation of all national-critical and mission-critical systems, and the bureau reported that it\nhad met the deadline. However, we found that, in meeting the deadline, Census certified its\nsystems at levels below those required to ensure they were adequately tested. NIACAP requires\nthat systems be certified at one of four levels, with level 1 representing the least rigorous\nverification of security controls and level 4 representing the most rigorous. The certification\nlevel is dictated by the system\xe2\x80\x99s sensitivity level, which, as noted earlier, is determined by the\ncriticality of the information processed and is used to establish the appropriate security controls\nneeded to adequately protect the data. The increasing rigor of testing as system sensitivity\nincreases is designed to give agencies greater assurance that systems with higher confidentiality,\nintegrity, and availability requirements are protected and to help them avoid spending resources\nunnecessarily on lower risk systems.\n\nThe levels at which the bureau was planning to certify its critical systems\xef\xa3\xa7level 3 for its\nmission-critical infrastructure system and level 2 for its national-critical and remaining mission-\ncritical systems\xef\xa3\xa7are not commensurate with the sensitivity of these systems. And in fact, in\nmeeting the Department deadline, the bureau certified mission-critical systems\xe2\x80\x94including\ninfrastruc ture\xe2\x80\x94at level 1, as the process at this level was more expedient. National-critical\nsystems were certified at level 2, as planned.\n\nThe required testing at these levels was not rigorous enough to determine whether the systems\xe2\x80\x99\nsecurity controls provided the needed protection. Bureau officials told us that they planned to\nperform additional testing after the December deadline and increase certification levels\naccordingly. However, systems have not yet been tested at the appropriate level.\n\nCertification l evels were not commensurate with system sensitivity\n\nCertification using NIACAP requires testing of system security controls, a process generally\nreferred to as certification testing or security test and evaluation, to determine whether all\nrequired controls for ensuring confidentiality, integrity, and availability have been implemented\nand are performing as intended. The amount and type of testing is determined by the\ncertification level (see table 1). Although the additional testing for level 4 is not defined, in our\nopinion it should include internal penetration testing. 4\n\nIn determining the level at which to certify its systems, the bureau did not apply Department\nguidance appropriately and determined that both of its national-critical systems and six of its\nseven mission-critical systems should be certified at level 2, and the remaining mission-critical\nsystem (infrastructure) should be certified at level 3. Based on their sensitivity, however, all of\n\n4\n An internal penetration test mimics an internal attack by a malicious employee/user and is intended to reveal\nweaknesses that allow for misappropriation of or damage to sensitive data.\n\n\n\n                                                         7\n\x0cU.S. Department of Commerce                                                         Inspection Report OSE-16519-1\nOffice Of Inspector General                                                                        September 2004\n\n\n\nthese systems should be certified at a level 3 or 4. The lower levels mean that the systems would\nbe certified with inadequate testing. The bureau\xe2\x80\x99s decision to certify all mission-critical systems\nat level 1 to meet the Department\xe2\x80\x99s deadline only made matters worse, as even less testing was\nrequired. Bureau officials stated that they intended to increase the certification level of six of\nthese systems to level 2 and the infrastructure system to level 3 by December 31, 2004, and\nconduct the additional testing required. As discussed below, the additional testing Census\nplanned and had conducted at the time of our fieldwork was not sufficient.\n\n\n                          Table 1. Required Testing by Level of Certification\n\n                            Certification\n                                                                Testing\n                               Level\n                                               Checklist: using NIST SP 800-26,\n                                   1           Security Self-Assessment Guide for\n                                               Information Technology Systems\n                                               Abbreviated: Level 1 plus system\n                                   2\n                                               vulnerability scanning\n\n                                               Moderate: Level 2 plus external\n                                   3\n                                               penetration testing 5\n\n                                               Extensive: more rigorous than\n                                   4\n                                               Level 3\n\n\nFurther, we note that neither NIACAP nor Department policy endorses the incremental approach\nto certification the bureau was pursuing. Systems that are not tested at a level commensurate\nwith their confidentiality, integrity, and availability requirements should not be considered\ncertified and accredited, nor should they be reported as such.\n\nCertification testing was incomplete\n\nCensus developed 267 tests, which map directly to its IT security policy, as the basis for\ncertification testing. Each policy item that could be interpreted as a security requirement was\nassigned a unique number, and a test was developed to evaluate the effectiveness of its\nimplementation. Because the bureau\xe2\x80\x99s policy covers the management, operational, and technical\ncontrols discussed in NIST\xe2\x80\x99s IT self-assessment guide, as required by Department policy, as well\nas other required controls, 6 this set of tests adequately supports level 1 certification testing. In\n\n\n5\n  An external penetration test mimics an attack by an external entity attempting to breach internal networks via the\nInternet.\n6\n  Including those in NIST guidance for developing IT system security plans.\n\n\n                                                          8\n\x0cU.S. Department of Commerce                                            Inspection Report OSE-16519-1\nOffice Of Inspector General                                                           September 2004\n\n\n\naddition, the bureau performs vulnerability scans on all systems and intends to conduct external\npenetration testing for its level 3 system.\n\nIn certifying its 2 national-critical systems, the bureau determined that 30 of its 267 tests were\nnot applicable. It thus completed certification using the remaining 237 tests, as well as\nvulnerability scans. In certifying the 6 mission-critical systems at level 1, the bureau used only\n130 of the 267 tests, reportedly to mitigate the considerable time and resources required to test\nthe more than 80 component systems subsumed by the 6. But this subset of tests provides a\nmuch less exhaustive analysis of controls and, based on Department guidance, is not sufficient\neven for level 1 certification. Moreover, in increasing certification to level 2 for the 6 mission-\ncritical systems, the bureau reported that it planned only to rescan these systems, but not apply\nthe tests that had been omitted previously. To be adequately evaluated at level 2, all components\nof mission-critical systems must be subjected to all applicable tests from the full complement of\n267, in addition to vulnerability scanning.\n\nD. One National -Critical System Had No Contingency Plan\n\nContingency plans are imperative: they establish the backup and recovery procedures for\nrestoring a system\xe2\x80\x99s essential functions in the event of system loss or damage. Our review of the\ncertification and accreditation package for one of Census\xe2\x80\x99s two national-critical systems found\nthe following contingency planning deficiencies: (1) the contingency planning section of the\nprogram area security plan indicated that contingency information was included in an appendix,\nbut the appendix did not exist; (2) there was no contingency plan for one of the system\xe2\x80\x99s two\ncomponent systems, although a memorandum contained in the package stated that a plan was\nunder development and would be completed and tested about 4 months after certification and\naccreditation; and (3) a plan for resuming business existed for the second component, but the\npackage included a memorandum noting that a more robust plan would be developed and tested\nabout 5 months following certification and accreditation.\n\nContingency plans should be prepared before systems are certified and accredited. At the very\nleast, before certification was granted, the certifier should have noted the missing appendix and\nensured that it was included and contained the required information. The certification and\naccreditation package should have identified the lack of contingency plans as a residual risk\nneeding correction.\n\nE. Certification and Accreditation Memoranda Lacked Key Information\n\nDepartment guidance issued in June 2003 specifies that each system certification and\naccreditation package must include a memorandum, signed by the system certifier, that\nsummarizes and affirms the results of the certification tests; identifies residual risks; and\nrecommends specific corrective actions as warranted as well as whether accreditation should be\ngranted in full, for an interim period, or denied. The package also is to include an accreditation\nstatement signed by the DAA stating (1) what accreditation action was taken and (2) that the\nDAA understands and accepts any residual risks of operating the system. This statement may\n\n\n\n\n                                                 9\n\x0cU.S. Department of Commerce                                             Inspection Report OSE-16519-1\nOffice Of Inspector General                                                            September 2004\n\n\n\nalso direct the system owner to take action to further mitigate risk and to track such actions in a\nPOA&M.\n\nThe certification and accreditation package s for both of the bureau\xe2\x80\x99s national-critical systems\nincluded a memorandum signed by the certifier, the DAA, a bureau program manager, and two\nuser representatives. However, the signing DAA was the CIO, which, as noted in finding II, is\ninappropriate because the CIO does not have management, operational, and budget authority for\nthese systems. Moreover, neither memorandum identifies residual risks and associated\ncorrective actions or includes an accreditation recommendation. Nor do the packages contain an\naccreditation statement. In fact, residual risks were not identified anywhere in the package.\nWithout an explicit identification of risks, it is unclear how the test results were interpreted by\nthe certifier, what particular risks the DAA agreed to assume, and whether the accrediting\nofficial fully understood the risks being accepted. The bureau\xe2\x80\x99s IT security officer indicated that\nin the accreditation briefing for these systems presented to the CIO, residual risks were\ndiscussed, but acknowledged that they had not been formally documented in the memoranda,\nelsewhere in the package, or on system POA&Ms.\n\nF. Conclusion\n\nWe discussed the problems we had identified in each system\xe2\x80\x99s certification and accreditation\nmaterials with bureau IT security officials, who generally agreed with our findings. They\nacknowledged the weaknesses with their risk assessments and are developing a new policy based\non NIST risk assessment guidance. They indicated that a draft policy and associated risk\nassessment templates are nearing completion and that training on using the templates will be\nprovided. Census needs to review the risk assessments for all program area and component\nsystems after they are revised to ensure they contain complete and accurate information for\ndetermining system security controls.\n\nThe problems we identified with sensitivity assignments and lack of documented security\ncontrols are significant and should have been identified in the certification and accreditation\nprocess. Once identified, the appropriate sensitivity and controls should have been determined,\nand the systems reviewed to ascertain whether the required controls were implemented and\nworking as intended. Because we found serious problems in some of the bureau\xe2\x80\x99s most critical\nsystems, we are concerned that other sensitive systems may have similar shortcomings; they\ntherefore need to be reviewed. If new security requirements and the need for additional security\ncontrols are identified as the risk assessments are revised and sensitivity levels reviewed, Census\nneeds to ensure that appropriate security controls are implemented on the applicable systems and\ndocumented in security plans.\n\nWe advised Census that systems having high sensitivity levels for confidentiality, integrity, and\navailability should be certified at a level no less than 3, and require more extensive testing of\nsecurity controls. Bureau officials told us the incremental certification and accreditation\napproach would be abandoned, the two national-critical systems and six of the mission-critical\nsystems would be certified at level 3, the mission-critical infrastructure system would be certified\nat level 4, and appropriate testing would be performed. However, as of June 2004, the two\n\n\n\n                                                 10\n\x0cU.S. Department of Commerce                                                    Inspection Report OSE-16519-1\nOffice Of Inspector General                                                                   September 2004\n\n\n\nnational-critical systems and six mission-critical systems had been certified at level 2 rather than\nlevel 3 and the mission-critical infrastructure system at level 3 rather than level 4. The bureau\ndid, however, use all 267 tests for these certifications.\n\nLevel 2 does not provide sufficient testing for mission-critical or national-critical systems.\nMission-critical systems should be certified at level 3 or 4 depending on their sensitivity. Our\ndraft report on the bureau\xe2\x80\x99s definition of its national-critical systems discusses the requirements\nfor their use in a national security emergency and recommends that they be certified at level 4. 7\n\nRecommendations\n\nThe director of the Census Bureau should ensure that:\n\n1. A new risk assessment policy based on NIST SP 800-30, Risk Management Guide for\n   Information Technology Systems, is developed and appropriate training provided.\n\nSynopsis of Census\xe2\x80\x99s Response: The response states that the bureau\xe2\x80\x99s IT security office has\nissued a policy memorandum concerning the requirement to use NIST 800-30 as a guideline for\npreparing risk assessments and that a subsequent memorandum was issued by the CIO to\nreiterate the requirement. The IT security officer conducted formal training for all security\nofficers and is working with program personnel to ensure they understand the requirements for\nrisk management.\n\n2. Risk assessments are revised using the new risk assessment methodology.\n\nSynopsis of Census\xe2\x80\x99s Response: All risk assessments are being revised and the responsible\nofficial is acknowledging and accepting in writing any residual risks noted in the assessment.\nThis information will be included in certification and accreditation documentation and presented\nto the system owner and DAA. This action is to be completed by September 30, 2004.\n\nOIG Comment: Census officials should not accept residual risks unless the remaining known\nvulnerabilities pose an acceptable level of risk to agency operations and assets.\n\n3. Specified sensitivity levels for confidentiality, integrity, and availability are appropriate,\n   accurately justified, and consistent across all systems by having\n\n    a. system owners review the sensitivity levels specified in their program area security plans\n       and revise them as necessary; and\n\n    b. the bureau\xe2\x80\x99s IT security officer review the sensitivity levels in all security plans to ensure\n       they are appropriate and consistent across all systems.\n\n\n\n7\n  The Census Bureau Should Redefine Its National-Critical Systems, Draft Inspection Report No. OSE-16519-2,\nJuly 2004.\n\n\n                                                      11\n\x0cU.S. Department of Commerce                                             Inspection Report OSE-16519-1\nOffice Of Inspector General                                                            September 2004\n\n\n\nSynopsis of Census\xe2\x80\x99s Response: System owners and the IT security staff have reviewed the\nsensitivity levels in all security plans to ensure they are appropriate and consistent.\n\n4. All program area and component system security plans are reviewed and revised as needed to\n   provide detailed descriptions of security controls that are in place and planned.\n\nSynopsis of Census\xe2\x80\x99s Response: System owners and IT security staff are reviewing the\nsecurity plans to ensure that they present a sufficiently detailed description of the security\ncontrols in place or planned.\n\n5. Any needed changes to a system\xe2\x80\x99s security controls identified in revised risk assessments and\n   security plans are implemented as soon as possible.\n\nSynopsis of Census\xe2\x80\x99s Response: After the risk assessments and security plans are updated and\nrequired changes to security controls identified, the IT security office will track their\nimplementation using Plans of Action and Milestones (POA&M).\n\n6. System certification and accreditation packages include\n\n   a. a memorandum signed by the certifier summarizing and affirming the results of\n      certification tests, identifying residual risk not mitigated by adequate controls,\n      recommending specific corrective actions as warranted, and advising whether the\n      accrediting official should grant either full or interim accreditation, or should deny\n      accreditation; and\n\n   b. an accreditation statement signed by the DAA stating, among other things, whether full\n      or interim accreditation was granted, or whether it was denied, and that the DAA\n      understands and accepts any residual risk of operating the system if processing is\n      authorized.\n\nSynopsis of Census\xe2\x80\x99s Response: The certification and accreditation of all critical systems were\ncompleted by May 19, 2004.\n\nOIG Comment: This response does not indicate whether certification and accreditation of\ncritical systems was completed in accordance with this recommendation. The bureau should\nensure that certificatio n and accreditation packages include the specified elements.\n\n7. By December 31, 2004, all mission-critical systems are certified and accredited at the\n   appropriate level\xe2\x80\x94either level 3 or 4\xe2\x80\x94depending on their sensitivity.\n\nSynopsis of Census\xe2\x80\x99s Response: The bureau is developing a process for internal penetration\ntesting of its mission-critical systems that will not interfere with critical processing schedules and\nis attempting to complete testing by the target date.\n\n\n\n\n                                                 12\n\x0cU.S. Department of Commerce                                            Inspection Report OSE-16519-1\nOffice Of Inspector General                                                           September 2004\n\n\n\nOIG Comment: The bureau\xe2\x80\x99s response refers only to internal penetration testing, which is\nneeded for certifying level 4 systems, but does not address external penetration testing, which is\nneeded for certifying both level 3 and level 4 systems. The bureau should ensure that\nappropriate testing is performed.\n\n8. Contingency planning information in all program area and component system security plans\n   is reviewed and revised to ensure its accuracy, and newly developed contingency plans are\n   included in the certification and accreditation package for the system.\n\nSynopsis of Census\xe2\x80\x99s Response: The IT security office is working with the program areas to\nensure that contingency plans are accurate and complete, and is conducting joint reviews with\nstaff managing the bureau\xe2\x80\x99s continuity of operations planning. Revised plans will be included in\ncertification and accreditation packages.\n\n\n\n\n                                                13\n\x0cU.S. Department of Commerce                                                  Inspection Report OSE-16519-1\nOffice Of Inspector General                                                                 September 2004\n\n\n\nII.     Designated Approving Authority for Accreditation Should Be Official with\n        Management, Operational, and Budget Authority Over System\n\nOMB Circular A-130 and the Department\xe2\x80\x99s policy both specify that designated approving\nauthorities must be program officials who have management, operational, and budget authority\nfor the system, and that DAAs may not be system owners. Census\xe2\x80\x99s policy is at odds with these\nrequirements on two fronts. First, it names its CIO as the approving authority for all systems.\nHowever, the CIO does not have management, operational, and budget authority for the bureau\xe2\x80\x99s\nentire inventory of systems, and should therefore be DAA for only those over which he has such\nauthority (e.g., technology infrastructure). Second, the bureau\xe2\x80\x99s policy allows the CIO or the\nCensus Bureau director to make the system owner the DAA. During our fieldwork, we informed\nthe bureau\xe2\x80\x99s IT security officer of these policy discrepancies, and he agreed to update the policy\nto conform to that of the Department.\n\nBecause bureau systems are tied to its technology infrastructure, the bureau\xe2\x80\x99s CIO has issued a\nmemorandum stating that, for all but the infrastructure system, he will sign the accreditation\nmemorandum to indicate his understanding of the system\xe2\x80\x99s status, any residual risk, and specific\ninformation relating to its certification and accreditation. The rationale is that the CIO is\nresponsible for the technology infrastructure, and vulnerabilities in any connected system would\nleave the entire network vulnerable. The CIO\xe2\x80\x99s memorandum also identifies by name the bureau\nprogram official having management, operational, and budget authority for each system as its\nDAA. Because this role will likely be a new one for these officials, they will need information\nand training to ensure they fully understand their responsibilities. This is consistent with the\nrecent memorandum from the Secretary of Commerce emphasizing the need for continued high\npriority for IT security, including sufficient training for accrediting officials. 8\n\nRecommendations\n\nThe director of the Census Bureau should ensure that:\n\n1. The bureau\xe2\x80\x99s information security policy is revised to require the DAA to be a program\n   official with management, operational, and budget authority for the system being accredited.\n\nSynopsis of Census\xe2\x80\x99s Response: The bureau will assign the DAA role to program officials\nwith management. operational, and budget authority for the system being accredited. The\nCensus Bureau CIO will countersign the authorization.\n\n2. Program officials who will assume the role of DAA fully understand their new\n   responsibilities and are adequately trained.\n\nSynopsis of Census\xe2\x80\x99s Response: The IT security officer has issued written guidance to DAAs\non their roles and responsibilities, and with assistance from the Human Resources Division, is\ndeveloping methods to provide formal training.\n8\n Memorandum from the Secretary of Commerce to Secretarial Officers and Heads of Operating Units, \xe2\x80\x9cContinued\nHigh Priority of IT Security,\xe2\x80\x9d June 29, 2004.\n\n\n                                                    14\n\x0cU.S. Department of Commerce                                           Inspection Report OSE-16519-1\nOffice Of Inspector General                                                          September 2004\n\n\n\nIII.   Plans of Action and Milestones Did Not Accurately Reflect Sys tem Security\n       Deficiencies\n\nBoth OMB and the Department\xe2\x80\x99s security policy require that POA&Ms reflect all known IT\nsecurity weaknesses and that agencies use these documents as their authoritative management\nmechanism to prioritize, track, and manage all efforts to close security gaps. The POA&Ms we\nreviewed did not list any of the weaknesses identified by the bureau during the certification and\naccreditation process. For example, although Census officials recognized weaknesses in their\nrisk assessment approach and indicated they planned to improve it, these weaknesses were not\nrecorded on a POA&M. POA&Ms also did not identify residual risks for which additional\ncontrols are needed, the lack of contingency plans for components of a certified and accredited\nsystem, or the need for additional testing to ensure that systems are certified at a level\ncommensurate with their sensitivity. The lack of documented management, operational, and\ntechnical controls in the security plans and any associated system deficiencies should have been\nidentified, as discussed in finding II, and included on the POA&Ms.\n\nRecommendation\n\nThe director of the Census Bureau should take the necessary actions to ensure that POA&Ms\nappropriately document all known information security weaknesses and track corrective actions\nto closure.\n\nSynopsis of Census\xe2\x80\x99s Response: The POA&M process has modified, and the IT security\nofficer has begun notifying system owners and DAAs of the status of published weaknesses of\ntheir systems and the status of the corrective actions through monthly reports.\n\nOIG Comment: It is unclear whether the modification to the POA&M process discussed in this\nresponse will ensure that all known security weaknesses are included on POA&MS. POA&Ms\nmust contain all known security weaknesses, including those identified in the certification and\naccreditation process.\n\n\n\n\n                                                15\n\x0cU.S. Department of Commerce                                             Inspection Report OSE-16519-1\nOffice Of Inspector General                                                            September 2004\n\n\n\nIV. Additional Efforts Are Needed to Improve Specialized Security Training\n\nDepartment policy requires operating units to provide specialized training for personnel having\nsignificant IT security responsibilities and to track progress made toward providing the training.\nWe reported in last year\xe2\x80\x99s independent evaluation that training for personnel with significant\ninformation security responsibilities appeared to be inconsistent and incomplete at Census and\nthe other units we reviewed.\n\nIn our current review of the Census Bureau, we found that some progress has been made toward\nproviding specialized training. The bureau\xe2\x80\x99s security policy provides a list of staff positions that\nmight require specialized security training and allows the IT security officer the discretion to\nexpand the list.\n\nIn order to provide a more consistent approach to specialized IT security training, the\nDepartment has acquired an enterprise license for a web-based information security training\nprogram that offers specialized training courses in accordance with NIST 800-16 guidance and\nhas made the program available to its operating units. The bureau\xe2\x80\x99s IT security officer has\nworked with security officers in its various divisions to identify courses that are appropriate for\nIT system security officers, system administrators, database administrators, DAAs, and other\npersonnel who have security responsibilities.\n\nThe IT Security Office maintains a database that tracks specialized training taken by employees\nvia the program, and is developing reports to identify (1) who received specialized training, (2)\nwhat the specialized training consisted of, and (3) when employees actually took the classes.\nCensus plans to have the reporting capability in place by the end of FY 2004. Though such\nreports are not yet available, the IT security officer reports that only a small percentage of system\nand database administrators have completed courses related to their responsibilities. The bureau\nneeds to make this training a priority and ensure that all personnel in need of specialized IT\nsecurity training complete the courses relevant to their positions in a timely manner.\n\nRecommendations\n\nThe director of the Census Bureau should ensure that:\n\n1. Bureau personnel having IT security responsibility complete specialized security training\n   related to their responsibilities.\n\nSynopsis of Census\xe2\x80\x99s Response: The IT security office is working with the Human\nResources Division to identify personnel with significant security responsibilities, who will then\nbe notified of their training requirement. Computer-based training will be available.\n\n2. Reports for tracking specialized training are developed and available for management review\n   by the end of FY 2004.\n\nSynopsis of Census\xe2\x80\x99s Response: The bureau has acquired a system to accomplish this.\n\n\n\n                                                 16\n\x0cU.S. Department of Commerce                                                           Inspection Report OSE-16519-1\nOffice Of Inspector General                                                                          September 2004\n\n\n\nV.       A Patch Management Process Has Been Established\n\n Department policy requires each\noperating unit to have a process for                   A patch is a piece of software code that is inserted into a\nidentifying, tracking, and reporting on                program to fix a defect. Patches are developed and released\nsecurity patch management. Census has                  by software vendors when vulnerabilities are discovered.\n                                                       Patch management is critical to protecting computer systems\nimplemented a patch management                         from malicious attacks, and includes acquiring, testing,\nprocess to identify, test, apply, and                  applying, and monitoring patches to a computer system. The\nmonitor the status of security patches                 CERT Coordination Center* points out that about 95 percent\nrelevant to bureau systems. The process                of all network intrusions could be avoided by keeping systems\ndetermines the need for patches and                    up to date with appropriate patches. Thus it is important that\n                                                       agencies have in place effective patch management policy and\nacquires, tests, applies, and monitors                 procedures.\npatches to its information system\ncomponents.                                            (*The CERT Coordination Center is a repository of Internet security\n                                                       expertise located at the Software Engineering Institute, a federally\n                                                       funded research and development organization operated by Carnegie\nPatch management is initiated by both                  Mellon University.)\nthe bureau\xe2\x80\x99s computer incident response\nteam (CIRT) and members of the IT\nSecurity Office. Based primarily on alerts received from the Department\xe2\x80\x99s CIRT and the Federal\nComputer Incident Response Center (FedCIRC), 9 the bureau\xe2\x80\x99s CIRT sends an e- mail alert\ndocumenting necessary corrective actions to the local area network configuration management\nteam (LAN CMT), which tracks whether appropriate action is taken and sends an e-mail\nconfirmation to the bureau\xe2\x80\x99s CIRT. The IT Security Office validates whether appropriate\ncorrective actions have been taken by performing vulnerability scans for specific alerts on\naffected systems.\n\nIn addition, members of the IT Security Office subscribe to various vendor notification lists and,\nupon learning of available security patches, e- mail the LAN CMT, which ensures that\nappropriate system administrators are notified to install the applicable patches. The bureau\nindicated that about 75 percent of all patches are tested before being applied to production\nsystems and that patches associated with high criticality alerts are likely to be applied without\ntesting.\n\nCensus uses commercial software products to maintain a current inventory of workstations,\nservers, and network devices. The products also identify the operating system and application\nsoftware installed on them as well as applicable vulnerabilities, and distribute appropriate\npatches. The IT Security Office uses network scanners to confirm that patches for known\nvulnerabilities have been applied.\n\nWhile we confirmed that the bureau has implemented a process to address this important area,\ntime and resource constraints prevented us from confirming its effectiveness, and we have no\nrecommendations for this finding.\n\n9\n  FedCIRC is the federal civilian agencies\xe2\x80\x99 focal point for computer security incident reporting, prevention, and\nresponse. It is located in the Department of Homeland Security.\n\n\n\n                                                         17\n\x0c\x0c\x0c"